如何在没有硬编码值的情况下编写此SQL语句?
resultSet = statement
.executeQuery("select * from myDatabase.myTable where name = 'john'");
// this works
rather have something like:
String name = "john";
resultSet = statement
.executeQuery("select * from myDatabase.myTable where name =" + name);
// Unknown column 'john' in 'where clause' at
// sun.reflect.NativeConstructorAccessorImpl.newInstance0...etc...
以当前的方法构建SQL查询是一个可怕的想法,因为它会为各种SQL注入攻击打开大门。要正确地执行此操作,您需要使用预处理语句。这也将解决您目前显然遇到的所有转义问题。
PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");
statement.setString(1, name);
ResultSet resultSet = statement.executeQuery();
请注意,prepareStatement()是一个昂贵的调用(除非您的应用程序服务器使用语句缓存和其他类似设施)。理论上,最好只准备一次语句,然后多次重复使用它(尽管不是同时使用):
String[] names = new String[] {"Isaac", "Hello"};
PreparedStatement statement = connection.prepareStatement("select * from myDatabase.myTable where name = ?");
for (String name: names) {
statement.setString(1, name);
ResultSet resultSet = statement.executeQuery();
...
...
statement.clearParameters();
}
你的字符串缺少单引号,正确的代码如下:
String name = "john";
String sql = "select * from myDatabase.myTable where name = '" + name + "'";
// Examine the text of the query in the debugger, log it or print it out using System.out.println
resultSet = statement.executeQuery(sql);
在执行查询之前,打印出/记录下查询的文本,以查看是否正确。
如果您要执行许多类似的查询,只有常量发生变化,请考虑使用预处理语句。
String name = "john";
resultSet = statement
.executeQuery("select * from myDatabase.myTable where name =" + "'" + name + "'");
你需要在值周围加引号('john' 而不是 john)...
请尝试以下操作:
String name = "john";
resultSet = statement
.executeQuery("select * from myDatabase.myTable where myTable.name = '" + name + "'");
在你的name值周围加上引号,因为它是一个字符串。
"select * from myDatabase.myTable where name ='" + name + "'"